
Ubiquiti VLAN Switches AP's and Mining


buzzkillb

I have been wanting to separate out my FPGAs from my network into VLANs for a while and decided today was the day. And before I forget how to do this, maybe this setup helps someone else as I found this confusing AF. My network is piecemeal over the years, if something broke, get a new one. If I needed more ports, get another switch. So nothing matches up to the current Ubiquiti unifi lineup. Good or bad, I didn't come across a guide to throw it all together for a newb like myself. If anyone has a better setup please tell me what can be done better. Does any of the listed gear matter? Not really except the controller for the USG and would suggest any recent Ubiquiti APs as they are flawless. Pro, Lite, and LR are amazing. My FPGAs are wired so they will get a miner VLAN and we will set up an IoT Wifi VLAN so we can test from a phone back to the main network and the miner VLAN. With this setup I would break up each group of miners. Like hashaltcoin FPGA gets their own VLAN, brand1 of ASIC gets its own VLAN, brand2 of ASIC gets its own VLAN, AMD GPUs get their own VLAN, NVidia GPUs get their own VLAN, shady wallet you downloaded from a bot on Discord on its own malware PC, its own VLAN. Let all that garbage talk to each other in their own zone of spam, but not me. I am getting too old for the shady shenanigans. Blockstream, Asicboost bois and all you spammers hearing me? Maybe your favorite crypto laptop gets its own VLAN that nothing can talk to?

Gear
Ubiquiti USG Router
Ubiquiti 8-Port Toughswitch POE
Ubiquiti EdgeSwitch 24 Lite
Ubiquiti Cloudkey Gen 1
Ubiquiti AC-Lite
Ubiquiti AC-Pro

Diagram of what I am setting up. Using draw.io and Visio stencils from the UBNT community mega link https://mega.nz/folder/ctdX2IiY#y3vZx3xp5KUevei3vDpquQ

[Image: network diagram]

First we assume you already have the USG, managed switch(es), and Access Point(s) set up and know how to login to everything. Since my switches aren't the unifi line you can figure out your random brand of switch VLAN config, and it's basically the same idea.

Let's get an IoT wireless network set up as a test network and see how this works for wifi.

Bottom Left Gear Icon -> Networks -> + Create New Network

When you type in the IP address I am matching the VLAN to the IP number. After that click Update DHCP Range to automatically fill in the rest. Click Save.

[Screenshot]

Now create a Wifi network to test our new VLAN on.

Wireless Networks -> + Create New Wireless Network

Settings below are basically the same as a typical Wifi SSID setup, except we clicked the Advanced Options and selected VLAN with our new VLAN number.

[Screenshot]

My toughswitch port 8 is connected to my EdgeSwitch Lite port 24 and then EdgeSwitch Lite port 23 is connected to my USG router.

Now because I have a Mickey Mouse setup, I need to tag all of this back to where the Access Points are. So first I went into my ToughSwitch. Under the VLANS tab I added a VLAN ID 30 with comment IoT, put port 8 as T and checkmarked enable. Save this and wait for the switch interface to pop up again.

[Screenshot]

Now to the EdgeSwitch, which gave me pure misery since I wasn't sure how to tag, untag and exclude. Turns out it's very simple. #REKT

Basically I tagged [T] the ports connecting the devices together. Port 23 and 24 like mentioned above how the ToughSwitch and USG router connect to the EdgeSwitch.

[Screenshot]

Now you should be able to connect a phone to the IoT wifi and get internet. If not either you did something wrong or I missed something, and most likely I missed something since that was very easy so far, a bit too easy.

Next what I wanted was to put the FPGA miners on their own hard wired VLAN, which are on my EdgeSwitch port 14 and 16. Let's do another VLAN Corporate Network but this time use VLAN 40 and 192.168.40.1. Because we aren't using wifi this time, no need to bother with another SSID.

[Screenshot]

Now we have our shiny new VLAN 40, but we still need to change the EdgeSwitch to Exclude and Untag. This would be whichever switch your Miner spam thing is connected to. Notice we Exclude port 14 and 16 in the default VLAN 1. And then untag port 14 and 16 in VLAN 40. I am keeping the Tags [T] all the way through, but I don't think this has to really travel to the ToughSwitch, only from the EdgeSwitch to the USG router. But I am tired and would rather write this guide.

[Screenshot]

Now reboot or disconnect your miner so it grabs the new DHCP addresses. In the left icon of a laptop in the USG [Clients], click that and see if your thing is showing up after maybe 5-10 minutes of waiting.

[Screenshot]

When it does show up try going to the IP address from the main PC/Laptop you are setting this up from, to make sure you can logon. Also double check from your phone on the IoT Wifi if you can login. Right now everything can still talk to each other. Let's stop that.

Go to the Gear -> Routing & Firewall -> Firewall -> Groups -> + Create New Group

And let's create some useful stuff. The main thing we want is a private network full address group to block. They are below to easily copy and paste in if you type too slow.

RFC1918
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

[Screenshot]

Then we want to create the Firewall rules to allow things to happen and then block the rest. Your final order should look something like this once you finish the next steps.

[Screenshot]

Routing & Firewall -> Firewall -> LAN IN -> + Create New Rule

Just copy the settings, this blocks IoT VLAN from talking to anything else.

[Screenshot]

Now we block the miner VLAN to everything else.

[Screenshot]

Now try from the IoT Wifi on your phone to connect to anything. If it doesn't connect to a PC or your miners, this is a good sign that the setup is starting to come together.

Now let's create one more rule so you can login to your stuff from the PC you are setting this up from.

[Screenshot]

Now your junk will stay spamming itself but you can still login to them. You can then start messing around with that allow rule. Such as source -> Only from a specific IP address and Destination -> Only specific set of ports. Play around in the Groups tab to add more groups like a Group called 80, 443 since those are probably the only ports you need for most everything. Make a group called Master and input a couple IPs to be your only controlling devices.

Hopefully this helps someone trying to connect a spaghetti of switches, access points, and random devices together and block the stuff inside the VLAN's from talking too much BS. If you like the guide, consider donating to Carsen's patreon in my signature.

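A scripted version of the reachability tests described in the guide above, as an added example that is not part of the original post. The host addresses, ports and main LAN subnet are constructed placeholders, and it assumes the block rules use a Drop action, so blocked traffic shows up as a timeout rather than a reset.

```python
import socket

# Constructed targets. Subnets 192.168.30.x / 192.168.40.x follow the post's
# VLAN 30 / VLAN 40 scheme; hosts, ports and the main LAN subnet are assumptions.
EXPECT_FROM_IOT = [  # run while joined to the IoT SSID
    ("main LAN PC", "192.168.1.10", 445, False),
    ("miner web UI", "192.168.40.10", 80, False),
    ("internet", "1.1.1.1", 443, True),
]
EXPECT_FROM_MAIN = [  # run from the PC used for setup
    ("miner web UI", "192.168.40.10", 80, True),
    ("internet", "1.1.1.1", 443, True),
]

def tcp_probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # The host answered with a reset, so the packet crossed the router.
        return "refused"
    except OSError:
        # Timeout or unreachable: what a Drop rule looks like from the client.
        return "filtered"

def check(expectations, probe=tcp_probe):
    """Return rows where observed reachability differs from the plan."""
    failures = []
    for label, host, port, should_reach in expectations:
        state = probe(host, port)
        reached = state in ("open", "refused")  # refused still means a leak
        if reached != should_reach:
            failures.append((label, host, port, should_reach, state))
    return failures

def report(name, expectations, probe=tcp_probe):
    """Print each mismatch and return True when the plan holds."""
    failures = check(expectations, probe)
    for label, host, port, should_reach, state in failures:
        want = "reachable" if should_reach else "blocked"
        print(f"FAIL [{name}] {label} {host}:{port} expected {want}, got {state}")
    return not failures

if __name__ == "__main__":
    # Pick the list matching the network this machine is on.
    ok = report("IoT VLAN", EXPECT_FROM_IOT)
    print("isolation OK" if ok else "isolation broken")
```

A "refused" result on a target that should be blocked counts as a failure: the port is closed, but the packet still reached a host in another VLAN.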

If something appears stuck (and I don't think I encountered this), ssh into your USG router and type

clear connection-tracking

and say yes when it asks. To get your login credentials for ssh, go to gear -> site -> scroll to the bottom -> Device Authentication -> SSH Authentication and make sure this is enabled with a username and password.


  • 2 weeks later...

Just got myself a Unifi network setup. UDM + US-8 + US-8-60W + USW Flex Mini + US-24 + UAP-AC-M x 2 and I love it!

Looking to possibly expand into having dual WAN failover and load balancing with a USG Pro, but their upcoming USW Pro looks a bit better. Might be worth the wait?


Founder of BlockForums.org - PM me for any help - Join our Discord Server: https://discord.gg/UPpQy3n


13 minutes ago, Ghost said:

Just got myself a Unifi network setup. UDM + US-8 + US-8-60W + USW Flex Mini + US-24 + UAP-AC-M x 2 and I love it!

Looking to possibly expand into having dual WAN failover and load balancing with a USG Pro, but their upcoming USW Pro looks a bit better. Might be worth the wait?

Looking at what to do next myself. The USG that I have kind of sucks, since I want QOS now and that will take the poor little square to its knees. With the VLAN setup being somewhat easy to set up on these, I would like to stay in the unifi universe. So UDM Pro, USG Pro, or wait for whatever they are releasing next. Otherwise I might just go pfsense since I can build around what I am looking for. Unifi though is just so sweet with how it's set up, too bad their lower end hardware can't do simple things like QOS on high speed connections.


Looking at what to do next myself. The USG that I have kind of sucks, since I want QOS now and that will take the poor little square to its knees. With the VLAN setup being somewhat easy to set up on these, I would like to stay in the unifi universe. So UDM Pro, USG Pro, or wait for whatever they are releasing next. Otherwise I might just go pfsense since I can build around what I am looking for. Unifi though is just so sweet with how it's set up, too bad their lower end hardware can't do simple things like QOS on high speed connections.

Yea hearing that the USG Pro only does 250 mbit/sec throughput is a bit disappointing, but definitely faster than the USG so maybe the UXG Pro will knock things out of the park, but the value we will have to see about seeing as the USG Pro can be found $300 USD roughly. The setup process of Unifi products has been amazingly simple, way better than I remember. No hiccups and so many options like VLANs, full control.


I guess the USG Pro is super loud with stock fans, Noctua replacement fans available though to swap out to.

